updated 04:50 pm EDT, Tue May 1, 2007
QuickTime 7.1.6 fixes flaw
In addition to its fix for its security update, Apple on Tuesday also released QuickTime 7.1.6 (Windows), which it said delivers numerous bug fixes, addresses a critical security issue with QuickTime for Java and includes support for Final Cut Studio 2 and Timecode and closed captioning display in QuickTime Player. Apple said the update is available for Mac OS X v10.3.9 and Mac OS X v10.4.9 as well as Windows XP SP2 and Windows 2000 SP4; the QuickTime update addresses a bug where visiting a malicious website may lead to arbitrary code execution: "An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution."
Apple said that the update addresses the issue by performing additional bounds checking when creating QTPointerRef objects. The bug was first reported by Dino Dai Zovi working with TippingPoint and the Zero Day Initiative, according to update documentation.